How to Disable MFA in Office 365 Quickly with PowerShell

There are different reasons why you might want to disable MFA in Office 365. A user may have lost their phone or you want to migrate to a different MFA system. No matter what the reason is, we can quickly disable MFA for single or multiple users in Microsoft 365.

I recently had a user who lost his phone and wasn’t able to work until we received the new SIM card. In these kinds of situations, we will need to disable MFA in Office 365 temporarily for the user, allowing him to register a new device.

In this article, I will explain the different options when it comes to removing MFA in Office 365, using PowerShell and the Microsoft 365 Admin Center.

Disable MFA in Office 365 with PowerShell

In most situations, you only want to disable MFA temporarily so the user is able to log in again and register a new device. In this case, we are not actually disabling MFA, but we are going to remove the authentication methods.

This way, the user can sign in again, after which Office 365 will force the user to set up MFA again.

Step 1 – Connect to Msol-Service

The first step is to connect to the Msol-Service in PowerShell:

Connect-MsolService

# If you don't have the MsolService module installed, then install it with:
Install-Module MSOnline

Step 2 – Get the user and remove authentication methods

We can now look up the user and remove the authentication methods. We do this by setting an empty list for the authentication methods.

Get-MsolUser -UserPrincipalName adelv@lazyadmin.nl | Set-MsolUser -StrongAuthenticationMethods @()

The user can now log in to Office 365 again. After entering the username and password, the user is asked to provide more information to set up MFA again.

If you want to disable MFA temporarily for all users you can simply change the Get-MsolUser cmdlet:

Get-MsolUser -All | Set-MsolUser -StrongAuthenticationMethods @()

Completely Disable MFA for a Single User in Office 365

It’s also possible to completely disable MFA for a user. I don’t recommend keeping MFA disabled for a longer period. In some cases you might need to turn it off for a couple of days until the user receives a new phone, for example.

For this we are also going to use PowerShell, which I personally find faster to work with than navigating through the admin center.

First, connect to the Microsoft Online Service:

Connect-MsolService

# If you don't have the MsolService module installed, then install it with:
Install-Module MSOnline

Then we can remove the strong authentication requirements for the user in question:

Get-MsolUser -UserPrincipalName adelv@lazyadmin.nl | Set-MsolUser -StrongAuthenticationRequirements @()

The user can now log in to the Microsoft 365 service without the need for MFA. To enable MFA again you can either use the admin center or this PowerShell script.

Again, if you want to disable it for all users, simply change the Get-MsolUser cmdlet:

Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements @()
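The reset from Step 2 and the follow-up check for accounts left without MFA can be wrapped so that every change is confirmed and recorded. This is an added example, not code from the original article; it assumes the MSOnline module and an existing Connect-MsolService session, and the function names and log path are hypothetical.

```powershell
# Added example, not from the original article. Assumes the MSOnline module and an
# existing Connect-MsolService session; function names and log path are hypothetical.
function Reset-UserMfaMethod {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$LogPath = '.\mfa-reset-log.csv'
    )
    # Fail early if the UPN does not resolve to an account.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Capture the state before the change so the reset can be reviewed later.
    $record = [pscustomobject]@{
        TimestampUtc      = (Get-Date).ToUniversalTime().ToString('o')
        UserPrincipalName = $user.UserPrincipalName
        PreviousMethods   = ($user.StrongAuthenticationMethods.MethodType -join ';')
        PreviousState     = ($user.StrongAuthenticationRequirements.State -join ';')
        ChangedBy         = [Environment]::UserName   # local operator account name
    }

    # ConfirmImpact 'High' makes PowerShell prompt before the methods are cleared.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Clear registered MFA methods')) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationMethods @()
        $record | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

function Get-UserWithoutMfa {
    # Lists sign-in enabled accounts where per-user MFA is off or no method is
    # registered. This reflects per-user MFA only; MFA required through
    # Conditional Access does not appear in StrongAuthenticationRequirements.
    Get-MsolUser -All | Where-Object { -not $_.BlockCredential } | ForEach-Object {
        $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
            $_.StrongAuthenticationRequirements[0].State
        } else { 'Disabled' }
        if ($state -eq 'Disabled' -or $_.StrongAuthenticationMethods.Count -eq 0) {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                PerUserMfaState   = $state
                RegisteredMethods = $_.StrongAuthenticationMethods.Count
            }
        }
    }
}
```

Running Reset-UserMfaMethod with -WhatIf shows which account would be changed without touching it. Get-UserWithoutMfa is meant to be run again a few days after a reset to confirm the user has registered a new device.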

Using the Microsoft 365 Admin Center to disable MFA

If you don’t like to use PowerShell then it’s also possible to disable MFA in Office 365 through the Microsoft 365 Admin Center. The downside is that it sometimes takes a couple of minutes before it’s processed, but that is not a big deal.

  1. Open the Microsoft 365 Admin Center
  2. Expand Users and click on Active Users
  3. Click on Multi-Factor Authentication
  4. Select the user for which you want to disable MFA
  5. Click on Disable on the right side, below Quick Steps

Wrapping Up

Using PowerShell you can quickly disable MFA in Office 365, but keep in mind that accounts without MFA are vulnerable to phishing attacks. You can now also improve MFA security by requiring number validation or by showing the request location; read more about these new features in this article.

If you want to check the MFA status of your users then make sure you read this article, which includes a free script to get and export the MFA status of all users or a single user.

If you have questions, then just drop a comment below.

2 thoughts on “How to Disable MFA in Office 365 Quickly with PowerShell”

    • At the moment there is not a complete replacement in MsGraph due to a lack of documentation. But rest assured, MSOnline will stay at least until Dec 2022. I suggest you subscribe to the newsletter, so you stay informed when I have created the MsGraph alternative.
